The New US Antispam Law

You might be aware that the US Congress recently passed the CAN-SPAM Act--a bill targeted at making certain kinds of spam illegal--and that President Bush signed the bill into law. Let's look at the law, which took effect January 1 and which might pertain to messages sent from your Exchange Server system. (I'm not an attorney. To be certain you comply with the law, get competent legal advice.)

CAN-SPAM applies to all commercial email, not only unsolicited commercial email (UCE). Therefore, the email that you send is subject to the same limits that apply to notorious spammers such as Alan Ralsky. Those limits include several "thou shalt nots":

- The law provides for civil (not criminal) sanctions for violators who use deceptive subject lines.

- Every sender of commercial email must provide a return address or Web link so that recipients can opt out of future mailings; civil penalties apply for sending email to people who have opted out.

- The body of UCE messages must state that the messages are advertising or solicitations.

- "Sexually oriented" material (a vague term if ever there was one) must be labeled according to a standard that the Federal Trade Commission (FTC) hasn't released yet.

- Spammers are prohibited from mounting dictionary attacks, harvesting addresses from the Web, and exploiting open relays.

These prohibitions and limits raise two questions: Will the law actually help reduce the amount of spam we all get, and how will the law affect legitimate companies? The answer to both is "It's hard to say."

First, much of the spam that clogs our Internet mail infrastructure is sent by people and organizations outside the United States. The whole issue of making US law apply outside the United States is a topic I'm going to stay far away from. What will happen to US residents who operate spamming factories outside the United States isn't clear. At this point, I think this law will drive low-end spammers (e.g., those who don't make enough money to hire high-end legal talent) out of business, but the biggest offenders will be with us for a while.

Second, the provisions that require labeling and opt-out are pretty clear, and companies that don't follow them can be found liable for civil damages if someone is so aggrieved that he or she files suit in federal court. Many companies that send large-volume mailings to customers use outsourcers and will be off the hook after the outsourcers make the necessary changes to their systems. More companies will probably turn to outsourcing mass mailings as a result of this law, and others will hold off on their mailing efforts while they figure out exactly what they need to do to comply.

For more analysis of the law and its potential repercussions, see the December 12, 2003, issue of the Center for Democracy and Technology's (CDT's) email newsletter (at the URL below). In the meantime, don't get rid of your filtering software. I still receive about 100 spam messages per day in my personal mailbox, even now that the law has taken effect. I expect spam to continue pretty much unabated for a while yet.